1. Refer to the exhibit.

config system sdn-connector
edit "azure-globalsdn-iam-ha"
set status enable
set type azure
set use-metadata-iam enable
set ha-status enable
set subscription-id "
set resource-group "
set azure-region global
config nic
edit "fgta-ap-port1"
config ip
edit "ipconfig1"
set public-ip "fgt-ap-cluster"
set resource-group "fortigate-ha-training"
next
end
next
end
config route-table
edit "az_spoke1_useast_web"
set subscription-id "bc0e730b-2345-4c66-9a74-efdfcIxxxxxxx"
set resource-group "fortigate-ha-training"
config route
edit "default_spoke1_web"
set next-hop "10.60.5.4"
next
edit "az_spoke1_useast_app"

set next-hop "10.60.5.4"
next

set update-interval 40

next

You deployed an HA active-passive FortiGate VM in Microsoft Azure. 
Which two statements regarding this particular deployment are true? (Choose two.) 
A. During the failover, the passive FortiGate issues API calls to Azure.

B. Use the vdom-exception command to synchronize the configuration.

C. There is no SLA for API calls from Microsoft Azure. 

D. By default, the configuration does not synchronize between the primary and secondary devices.
Answer: A D 

Explanation: 

- A is correct because in this deployment, the passive FortiGate issues API calls to Azure to update the
routing table and the public IP address of the active FortiGate [1][2][3]. This way, the traffic is redirected to the
new active FortiGate after a failover.

- B is incorrect because the vdom-exception command is used to exclude specific VDOMs from being
synchronized in an HA cluster. This command is not related to this deployment scenario.

- C is incorrect because Microsoft Azure does provide an SLA for API calls. According to the Azure 
Service Level Agreements, the API Management service has a monthly uptime percentage of at least 
99.9% for the standard tier and higher. 

- D is correct because by default, the configuration is not synchronized between the primary and
secondary devices in this deployment. The administrator needs to manually enable configuration
synchronization on both devices [1][2][3]. Alternatively, the administrator can use FortiManager to manage and
synchronize the configuration of both devices [4].
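The exhibit is FortiOS CLI text. The following added example (not from the exam page or from Fortinet) parses that nested config/edit/set/next/end structure into Python dicts and then lists the Azure objects the passive unit has to rewrite on failover: the route-table next hops and the public IP bound to the NIC. The embedded sample is a constructed, fully closed version of the exhibit; the subscription id and the second route name (default_spoke1_app) are placeholders, and the 10.60.5.5 address used when planning a failover is an assumed new active IP.

```python
"""Parse FortiOS CLI config blocks and extract what an Azure HA failover must update.
Added example: the parser and the constructed sample config are not Fortinet code."""
import shlex

# Constructed sample mirroring the exhibit; subscription id is a placeholder.
SAMPLE_CONFIG = """\
config system sdn-connector
    edit "azure-globalsdn-iam-ha"
        set status enable
        set type azure
        set use-metadata-iam enable
        set ha-status enable
        set subscription-id "00000000-0000-0000-0000-000000000000"
        set resource-group "fortigate-ha-training"
        set azure-region global
        config nic
            edit "fgta-ap-port1"
                config ip
                    edit "ipconfig1"
                        set public-ip "fgt-ap-cluster"
                    next
                end
            next
        end
        config route-table
            edit "az_spoke1_useast_web"
                set subscription-id "00000000-0000-0000-0000-000000000000"
                set resource-group "fortigate-ha-training"
                config route
                    edit "default_spoke1_web"
                        set next-hop "10.60.5.4"
                    next
                end
            next
            edit "az_spoke1_useast_app"
                config route
                    edit "default_spoke1_app"
                        set next-hop "10.60.5.4"
                    next
                end
            next
        end
        set update-interval 40
    next
end
"""


def parse_fortios(text):
    """`config X` opens a table, `edit N` opens an entry in it, `set K V` stores a
    value (scalar for one value, list for several), `next`/`end` close the level."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = shlex.split(raw)            # strips the quotes around names
        if not tokens:
            continue
        cmd, args, cur = tokens[0], tokens[1:], stack[-1]
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd!r}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword in line {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def failover_targets(cfg, connector_name):
    """Route next hops per Azure route table, plus NIC-bound public IPs."""
    conn = cfg["system sdn-connector"][connector_name]
    routes = {rt_name: {name: r["next-hop"] for name, r in rt.get("route", {}).items()}
              for rt_name, rt in conn.get("route-table", {}).items()}
    public_ips = sorted(ipcfg["public-ip"]
                        for nic in conn.get("nic", {}).values()
                        for ipcfg in nic.get("ip", {}).values() if "public-ip" in ipcfg)
    return routes, public_ips


def plan_failover(routes, new_active_ip):
    """Route updates the new active unit must push through the Azure API."""
    return [(rt, name, old, new_active_ip)
            for rt, entries in routes.items() for name, old in entries.items()
            if old != new_active_ip]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    routes, pips = failover_targets(cfg, "azure-globalsdn-iam-ha")
    print(routes, pips, plan_failover(routes, "10.60.5.5"))
```

Every next hop in the sample points at the same address (the current active unit's port IP), so a failover means rewriting each route entry to the new active unit's IP and moving the public IP; those are the API calls the explanation refers to.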


2. Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true?

A. TGW can have multiple TGW route tables. 

B. Both the TGW attachment and propagation must be in the same TGW route table.

C. A TGW attachment can be associated with multiple TGW route tables.

D. The TGW default route table cannot be disabled. 

Answer: A 

Explanation 

According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that
connects VPCs and on-premises networks. A transit gateway route table is a set of rules that determines
how traffic is routed among the attachments to the transit gateway [1].

A transit gateway can have multiple route tables, and you can associate different attachments with
different route tables. This allows you to control how traffic is routed between your VPCs and VPNs based
on your network design and security requirements [1].

The other options are incorrect because: 

- Both the TGW attachment and propagation must be in the same TGW route table is not true. You can
associate an attachment with one route table and enable propagation from another attachment to a
different route table. This allows you to separate the routing domains for your attachments [1].

- A TGW attachment can be associated with multiple TGW route tables is not true. You can only associate 
an attachment with one route table at a time. However, you can change the association at any time. 

- The TGW default route table cannot be disabled is not true. You can disable the default route table by
deleting all associations and propagations from it. However, you cannot delete the default route table
itself [1].

1: Transit Gateways - Amazon Virtual Private Cloud 


3. What are two main features in Amazon Web Services (AWS) network access control lists (ACLs)?
(Choose two.)

A. You cannot use Network ACL and Security Group at the same time. 

B. The default network ACL is configured to allow all traffic.

C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.

D. Network ACLs are tied to an instance.

Answer: B C 

Explanation 

B. The default network ACL is configured to allow all traffic. This means that when you create a VPC, AWS
automatically creates a default network ACL for that VPC, and associates it with all the subnets in the
VPC [1]. By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable,
IPv6 traffic [1]. You can modify the default network ACL, but you cannot delete it [1].

C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. This means
that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet
separately [1]. Therefore, you need to create both inbound and outbound rules for each type of traffic that
you want to allow or deny [1]. For example, if you want to allow SSH traffic from a specific IP address to
your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an
outbound rule to allow TCP ports 1024-65535 (the ephemeral ports) to that IP address [2].

The other options are incorrect because: 

- You can use a network ACL and a security group at the same time. Network ACLs and security groups are two
different types of security layers for your VPC that can work together to control traffic [3]. A network ACL acts
as a firewall for your subnets, while a security group acts as a firewall for your instances [3]. You can use both
of them to create a more granular and effective security policy for your VPC.

- Network ACLs are not tied to an instance. Network ACLs are associated with subnets, not instances [1].
This means that network ACLs apply to all the instances in the subnets that they are associated with [1].
You cannot associate a network ACL with a specific instance. However, you can associate a security
group with a specific instance or multiple instances [3].
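The stateless evaluation described in option C, as an added example that is not from the exam page or from AWS: each packet is judged on its own, lowest rule number first, with the fixed "*" rule denying anything no numbered rule matched. Running the SSH request and its reply through the model shows why an inbound allow for port 22 is not enough and an outbound rule for the ephemeral range is needed. The 203.0.113.0/24 admin range, the 10.0.1.10 host and the rule sets are constructed for this example.

```python
"""Stateless network ACL evaluation modelled on AWS VPC network ACLs.
Added example; the rule sets and addresses below are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int       # evaluated in ascending order; AWS numbered rules go up to 32766
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int    # port range; only consulted for tcp/udp
    port_to: int
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def evaluate(rules, packet, direction):
    """Return 'allow' or 'deny' for one packet; no connection state is consulted."""
    peer = ipaddress.ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if peer not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action          # first match wins; later rules are never consulted
    return "deny"                   # the implicit '*' catch-all rule


def ssh_session_verdict(inbound, outbound, client_ip, host_ip, client_port=51234):
    """Verdicts for the SYN entering the subnet and the SYN-ACK leaving it.
    The reply is addressed to the client's ephemeral port, not to port 22."""
    request = Packet(client_ip, host_ip, "tcp", 22)
    reply = Packet(host_ip, client_ip, "tcp", client_port)
    return evaluate(inbound, request, "inbound"), evaluate(outbound, reply, "outbound")


# The default network ACL AWS creates with a VPC: allow everything in both directions.
DEFAULT_ACL = [Rule(100, "all", "0.0.0.0/0", 0, 65535, "allow")]

# Custom ACL for a subnet that should accept SSH only from one admin range
# (203.0.113.0/24 is documentation address space, constructed for this example).
ADMIN_NET = "203.0.113.0/24"
SSH_INBOUND = [Rule(100, "tcp", ADMIN_NET, 22, 22, "allow")]
SSH_OUTBOUND_EPHEMERAL = [Rule(100, "tcp", ADMIN_NET, 1024, 65535, "allow")]

# Rule order matters: a lower-numbered deny for one host wins over the broader allow.
BLOCKED_HOST_INBOUND = [Rule(50, "tcp", "203.0.113.7/32", 22, 22, "deny")] + SSH_INBOUND


if __name__ == "__main__":
    print(ssh_session_verdict(SSH_INBOUND, [], "203.0.113.8", "10.0.1.10"))
    print(ssh_session_verdict(SSH_INBOUND, SSH_OUTBOUND_EPHEMERAL, "203.0.113.8", "10.0.1.10"))
```

With only SSH_INBOUND the request is allowed but the reply is denied, which is the symptom a practitioner sees as a hanging SSH connection; adding the ephemeral-port outbound rule fixes it. A security group, being stateful, would have allowed the reply automatically.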


4. You are adding more spoke VPCs to an existing hub-and-spoke topology. Your goal is to finish this task
in the minimum amount of time without making errors.

Which Amazon AWS services must you subscribe to in order to accomplish your goal?

A. GuardDuty, CloudWatch 

B. WAF, DynamoDB 

C. Inspector, S3 

D. CloudWatch, S3 

Answer: D 

Explanation 

The correct answer is D. CloudWatch and S3. 

According to the GitHub repository for the Fortinet aws-lambda-tgw script [1], this function requires the
following AWS services: 

- CloudWatch: A monitoring and observability service that collects and processes events from various 
AWS resources, including Transit Gateway attachments and route tables. 

- S3: A scalable object storage service that can store the configuration files and logs generated by the 
Lambda function. 

By using the Fortinet aws-lambda-tgw script, you can automate the creation and configuration of Transit
Gateway Connect attachments for your FortiGate devices. This can help you save time and avoid errors
when adding more spoke VPCs to an existing hub and spoke topology [1].

The other AWS services mentioned in the options are not required for this task. GuardDuty is a threat
detection service that monitors for malicious and unauthorized behavior to help protect AWS accounts
and workloads. WAF is a web application firewall that helps protect web applications from common web
exploits. Inspector is a security assessment service that helps improve the security and compliance of
applications deployed on AWS. DynamoDB is a fast and flexible NoSQL database service that can store
various types of data.

1: GitHub - fortinet/aws-lambda-tgw 


5.Which two Amazon Web Services (AWS) features support east-west traffic inspection within the AWS 
cloud by the FortiGate VM? (Choose two.) 

A. A NAT gateway with an EIP.

B. A transit gateway with an attachment 

C. An Internet gateway with an EIP 

D. A transit VPC 

Answer: B D 

Explanation 

The correct answer is B and D. A transit gateway with an attachment and a transit VPC support east-west
traffic inspection within the AWS cloud by the FortiGate VM.

According to the Fortinet documentation for Public Cloud Security, a transit gateway is a network transit
hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that
connects a VPC or VPN to a transit gateway. By using a transit gateway with an attachment, you can
route traffic from your spoke VPCs to your security VPC, where the FortiGate VM can inspect the traffic [1].
A transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs,
remote networks, and virtual private networks (VPNs). By using a transit VPC, you can deploy the
FortiGate VM as a virtual appliance that provides network security and threat prevention for your VPCs [2].

The other options are incorrect because:

- A NAT gateway with an EIP is a service that enables instances in a private subnet to connect to the
internet or other AWS services, but prevents the internet from initiating a connection with those instances.
A NAT gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the
FortiGate VM [3].

- An Internet gateway with an EIP is a horizontally scaled, redundant, and highly available VPC
component that allows communication between instances in your VPC and the internet. An Internet
gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate
VM [4].

1: Fortinet Documentation Library - Deploying FortiGate VMs on AWS 

2: Fortinet Documentation Library - Transit VPC on AWS

3: NAT Gateways - Amazon Virtual Private Cloud

4: Internet Gateways - Amazon Virtual Private Cloud


6. Refer to the exhibit.

[ec2-user@ip-10-0-0-200 ~]$ sudo yum -y install unzip
Last metadata expiration check: 0:02:31 ago on Sun Jul 23 22:12:44 2023.
Package unzip-6.0-57.amzn2023.0.2.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[ec2-user@ip-10-0-0-200 ~]$ unzip terraform_${TERRAFORM_VER}_linux_amd64.zip
Archive: terraform_1.5.3_linux_amd64.zip
inflating: terraform
[ec2-user@ip-10-0-0-200 ~]$ terraform version
-bash: terraform: command not found
[ec2-user@ip-10-0-0-200 ~]$


You are tasked with deploying FortiGate using Terraform. When you run the terraform version command 
during the Terraform installation, you get an error message. 

What could be the reason that you are getting the command not found error? 

A. You must move the binary file to the bin directory. 

B. You must change the directory location to the root directory.

C. You must assign correct permissions to the ec2-user. 

D. You must reinstall Terraform.

Answer: A 

Explanation 

According to the Terraform documentation for installing Terraform on Linux [1], you need to download a zip
archive that contains a single binary file called terraform. You need to unzip the archive and move the
binary file to a directory that is included in your system's PATH environment variable, such as
/usr/local/bin. This way, you can run the terraform command from any directory without specifying the full
path [1].

If you do not move the binary file to the bin directory, you will get a command not found error when you try
to run the terraform version command, as shown in the screenshot. To fix this error, you need to move the
binary file to the bin directory or specify the full path of the binary file when running the command [1].

1: Install Terraform | Terraform - HashiCorp Learn 


7. Refer to the exhibit.

[Exhibit: diagram of two Linux instances and a Transit GW; the main routing table is shown with the columns Destination and Next Hop]

The exhibit shows a customer deployment of two Linux instances and their main routing table in Amazon
Web Services (AWS). The customer also created a Transit Gateway (TGW) and two attachments.

Which two steps are required to route traffic from the Linux instances to the TGW? (Choose two.)

A. In the TGW route table, add route propagation to 192.168.0.0/16.

B. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop
Internet gateway (IGW).

C. In the TGW route table, associate two attachments.

D. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop
TGW.

Answer: C D 

Explanation 

According to the AWS documentation for Transit Gateway, a Transit Gateway is a network transit hub that 
connects VPCs and on-premises networks. 

To route traffic from Linux instances to the TGW, you need to do the following steps: 

- In the TGW route table, associate two attachments. An attachment is a resource that connects a VPC or
VPN to a Transit Gateway. By associating the attachments to the TGW route table, you enable the TGW
to route traffic between the VPCs and the VPN.

- In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop
TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the
appropriate destination based on the TGW route table.

The other options are incorrect because: 

- In the TGW route table, adding route propagation to 192.168.0.0/16 is not necessary, as this is already
the default route for the TGW. Route propagation allows you to automatically propagate routes from your
VPC or VPN to your TGW route table.

- In the main subnet routing table in VPC A and B, adding a new route with destination 0.0.0.0/0, next hop
Internet gateway (IGW) is not correct, as this would bypass the TGW and send all traffic directly to the
internet. An IGW is a VPC component that enables communication between instances in your VPC and
the internet.

Transit Gateways - Amazon Virtual Private Cloud
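The route-table rules that question 2 and question 7 both rely on (one association per attachment, propagation independent of association, a subnet default route that must point at the TGW rather than the IGW), as an added in-memory model that is not from the exam page or from AWS. The attachment ids, route table names and the 10.1.0.0/16 and 10.2.0.0/16 VPC ranges are constructed; the model follows the documented behaviour but is not the AWS implementation.

```python
"""In-memory model of Transit Gateway associations, propagations and subnet routes.
Added example; attachment ids, table names and addresses are constructed."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.route_tables = {}   # table name -> {cidr: egress attachment id}
        self.attachments = {}    # attachment id -> {"cidrs": [...], "table": associated table or None}

    def add_route_table(self, name):
        self.route_tables[name] = {}

    def add_attachment(self, att_id, cidrs):
        self.attachments[att_id] = {"cidrs": list(cidrs), "table": None}

    def associate(self, table, att_id):
        """Association picks the table consulted for traffic *entering* via att_id.
        An attachment can be associated with only one table at a time."""
        current = self.attachments[att_id]["table"]
        if current is not None and current != table:
            raise ValueError(f"{att_id} is already associated with {current}; disassociate first")
        self.attachments[att_id]["table"] = table

    def disassociate(self, att_id):
        self.attachments[att_id]["table"] = None

    def propagate(self, table, att_id):
        """Propagation installs att_id's CIDRs into `table`. It is independent of
        association, so one attachment may propagate into several tables."""
        for cidr in self.attachments[att_id]["cidrs"]:
            self.route_tables[table][cidr] = att_id

    def next_hop(self, ingress_att, dst_ip):
        """Longest-prefix match in the table the ingress attachment is associated with.
        Returns the egress attachment, or None when nothing matches (traffic is dropped)."""
        table = self.attachments[ingress_att]["table"]
        if table is None:
            raise LookupError(f"{ingress_att} has no route table association")
        addr, best = ipaddress.ip_address(dst_ip), None
        for cidr, att in self.route_tables[table].items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att)
        return best[1] if best else None


def subnet_next_hop(subnet_routes, dst_ip):
    """Longest-prefix match in a VPC subnet route table given as {cidr: target}."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), t) for c, t in subnet_routes.items()
               if addr in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def trace(subnet_routes, vpc_attachment, tgw, dst_ip):
    """Follow a packet from a subnet: ('subnet', target) when it never reaches the
    TGW (local, IGW, or no route), otherwise ('tgw', egress attachment)."""
    target = subnet_next_hop(subnet_routes, dst_ip)
    if target is None or not target.startswith("tgw-"):
        return ("subnet", target)
    return ("tgw", tgw.next_hop(vpc_attachment, dst_ip))


def build_demo():
    """Constructed topology: VPC A (10.1.0.0/16) and VPC B (10.2.0.0/16), one attachment each."""
    tgw = TransitGateway()
    tgw.add_route_table("rt-main")
    tgw.add_attachment("tgw-attach-a", ["10.1.0.0/16"])
    tgw.add_attachment("tgw-attach-b", ["10.2.0.0/16"])
    return tgw


if __name__ == "__main__":
    tgw = build_demo()
    tgw.associate("rt-main", "tgw-attach-a")
    tgw.associate("rt-main", "tgw-attach-b")
    tgw.propagate("rt-main", "tgw-attach-b")
    routes_a = {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw-example"}
    print(trace(routes_a, "tgw-attach-a", tgw, "10.2.0.5"))
```

Tracing a packet before the attachments are associated raises, which is the question 7 point that associations are required; swapping the subnet default route to an IGW target returns ("subnet", "igw-...") without ever touching the TGW; and trying a second association for the same attachment raises, while propagating it into a second table succeeds, which is the distinction question 2 draws.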


8. Refer to the exhibit.

[Exhibit: active-active load balance sandwich diagram (label visible: Protected A)]

Consider the active-active load balance sandwich scenario in Microsoft Azure.

What are two important facts in the active-active load balance sandwich scenario? (Choose two.)

A. It uses the vdom-exception command to exclude the configuration from being synced.

B. It is recommended to enable NAT on FortiGate policies.

C. It uses the FGCP protocol.

D. It supports session synchronization for handling asynchronous traffic. 

Answer: B D 

Explanation 

B. It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses
a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and
destination IP addresses and ports of the packets [1]. If NAT is not enabled, the source IP address of the
packets will be the same as the load balancer's frontend IP address, which will result in uneven
distribution of traffic and possible asymmetric routing issues [1]. Therefore, it is recommended to enable
NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure
optimal load balancing and routing [1].

D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate
instances can synchronize their session tables with each other, so that they can handle traffic that does
not follow the same path as the initial packet of a session [2]. For example, if a TCP SYN packet is sent to
FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to
FortiGate A by looking up the session table [2]. This feature allows the FortiGate instances to handle
asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.

The other options are incorrect because:

- It does not use the vdom-exception command to exclude the configuration from being synced. The
vdom-exception command is used to exclude certain configuration settings from being synchronized
between FortiGate devices in a cluster or a high availability group [3]. However, in this scenario, the
FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with
standalone configuration synchronization enabled. This feature allows them to synchronize most of their
configuration settings with each other, except for some settings that identify the FortiGate to the network,
such as the hostname.

- It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to 
synchronize configuration and state information between FortiGate devices in a cluster or a high 
availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability 
group, and they use standalone configuration synchronization instead of FGCP. 


9. You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM.

Which two queries does that SDN connector use to interact with the Azure management API? (Choose two.)

A. The first query is targeted to a special IP address to get a token. 

B. The first query is targeted to IP address 8.8 

C. There is only one query initiating from FortiGate port1 - 

D. Some queries are made to manage public IP addresses. 

Answer: A D 

Explanation 

The Azure SDN connector uses two types of queries to interact with the Azure management API. The first
query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent
queries. The second type of query is used to retrieve information about the Azure resources, such as
virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are
made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM.

References: Configuring an SDN connector in Azure, Azure SDN connector using service principal,
Troubleshooting Azure SDN connector
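The two-step exchange the explanation describes, simulated offline as an added example that is not from the exam page or from FortiOS: query 1 asks the Azure Instance Metadata Service (the "special IP address", 169.254.169.254, with the required Metadata: true header) for a managed-identity token; query 2 calls the Azure Resource Manager API with that bearer token, here to read a public IP resource. The Azure side is a constructed fake so both queries run without network access, and the ARM api-version, subscription id and token string are assumed sample values. Separating the two steps is what makes troubleshooting tractable: the fake's call log shows whether the connector failed before or after obtaining a token.

```python
"""Two-query flow of an Azure SDN connector (IMDS token, then ARM call), simulated.
Added example; the Azure side below is a constructed fake, not Azure or FortiOS code."""
from urllib.parse import urlparse

IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https://management.azure.com/")
ARM = "https://management.azure.com"
ARM_API_VERSION = "2023-05-01"   # assumed sample value; check the Azure REST reference


class SdnConnectorClient:
    """Minimal client. `transport(url, headers) -> (status, body_dict)` is injected so
    the same code can run against a fake or a real HTTP library."""

    def __init__(self, transport):
        self.transport = transport
        self.token = None

    def fetch_token(self):
        # Query 1: IMDS only answers when the Metadata header is present and no proxy is used.
        status, body = self.transport(IMDS_TOKEN_URL, {"Metadata": "true"})
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"IMDS token request failed: {status} {body}")
        self.token = body["access_token"]
        return self.token

    def get_public_ip(self, subscription, resource_group, name):
        # Query 2: ARM call authenticated with the bearer token from query 1.
        if self.token is None:
            self.fetch_token()
        url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
               f"/providers/Microsoft.Network/publicIPAddresses/{name}?api-version={ARM_API_VERSION}")
        status, body = self.transport(url, {"Authorization": f"Bearer {self.token}"})
        if status == 401:
            raise PermissionError("ARM rejected the token; check the identity's role assignment")
        if status != 200:
            raise RuntimeError(f"ARM request failed: {status} {body}")
        return body


class FakeAzure:
    """Constructed stand-in for IMDS and ARM, just enough to exercise both queries."""
    VALID_TOKEN = "constructed-token-123"

    def __init__(self, identity_assigned=True):
        self.identity_assigned = identity_assigned
        self.calls = []   # (host, path) log: tells you which step a failing connector reached

    def __call__(self, url, headers):
        u = urlparse(url)
        self.calls.append((u.hostname, u.path))
        if u.hostname == "169.254.169.254":
            if headers.get("Metadata") != "true":
                return 400, {"error": "Metadata header missing"}
            if not self.identity_assigned:
                return 400, {"error": "no managed identity assigned to this VM"}
            return 200, {"access_token": self.VALID_TOKEN, "expires_in": "3599",
                         "resource": "https://management.azure.com/"}
        if u.hostname == "management.azure.com":
            if headers.get("Authorization") != f"Bearer {self.VALID_TOKEN}":
                return 401, {"error": "invalid token"}
            name = u.path.rsplit("/", 1)[-1]
            return 200, {"name": name, "properties": {"ipAddress": "203.0.113.10"}}  # constructed
        return 404, {}


if __name__ == "__main__":
    azure = FakeAzure()
    client = SdnConnectorClient(azure)
    print(client.get_public_ip("sub-placeholder", "fortigate-ha-training", "fgt-ap-cluster"))
    print(azure.calls)
```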


